diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 8eebaa19db..7be989f87f 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -883,8 +883,9 @@ openstack_auth:
 auth_url: "{{ keystone_internal_url }}"
 username: "{{ keystone_admin_user }}"
 password: "{{ keystone_admin_password }}"
- user_domain_name: "{{ default_user_domain_name }}"
- system_scope: "all"
+ project_name: "{{ keystone_admin_project }}"
+ domain_name: "default"
+ user_domain_name: "default"
 #######################
 # Glance options
diff --git a/ansible/roles/freezer/templates/freezer.conf.j2 b/ansible/roles/freezer/templates/freezer.conf.j2
index 3da301ceff..a64c464895 100644
--- a/ansible/roles/freezer/templates/freezer.conf.j2
+++ b/ansible/roles/freezer/templates/freezer.conf.j2
@@ -15,9 +15,7 @@ jobs_dir = /etc/freezer/scheduler/conf.d
 os_username = {{ openstack_auth.username }}
 os_password = {{ openstack_auth.password }}
 os_auth_url = {{ openstack_auth.auth_url }}
-os_project_name = {{ keystone_admin_project }}
-# TODO: transition to system scoped token when freezer supports that
-# configuration option, os_project_domain_name should be removed.
+os_project_name = {{ openstack_auth.project_name }}
 os_project_domain_name = {{ default_project_domain_name }}
 os_user_domain_name = {{ openstack_auth.user_domain_name }}
 {% endif %}
diff --git a/ansible/roles/heat/defaults/main.yml b/ansible/roles/heat/defaults/main.yml
index d4b630df1c..bead3e918d 100644
--- a/ansible/roles/heat/defaults/main.yml
+++ b/ansible/roles/heat/defaults/main.yml
@@ -235,7 +235,7 @@ heat_ks_roles:
 - "{{ heat_stack_user_role }}"
 heat_ks_user_roles:
- - project: "{{ keystone_admin_project }}"
+ - project: "{{ openstack_auth.project_name }}"
 user: "{{ openstack_auth.username }}"
 role: "{{ heat_stack_owner_role }}"
diff --git a/ansible/roles/heat/tasks/bootstrap_service.yml b/ansible/roles/heat/tasks/bootstrap_service.yml
index 4aa7ea9132..dc7038c12f 100644
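Review bot: The new `user_domain_name: "default"` hard-codes a value that the removed line took from `default_user_domain_name`, and `domain_name: "default"` likewise ignores `default_project_domain_name`, which the freezer.conf.j2 hunk in this same commit still reads; a deployment whose admin user or project lives outside the default domain would now be pointed at the wrong domain. The multi-regions.rst hunk keeps `user_domain_name: "{{ default_user_domain_name }}"`, so the documentation and the shipped default no longer agree. Keeping the variables, `domain_name: "{{ default_project_domain_name }}"` and `user_domain_name: "{{ default_user_domain_name }}"`, preserves the previous behaviour. Since `domain_name` is consumed as the project's domain (see the nova-cell hunk), a comment above it such as `# domain of the admin project; user_domain_name covers the user` would keep the key from being read as a request for a domain-scoped token.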
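Review bot: `os_project_name` now comes from `openstack_auth.project_name` while the line below still takes `os_project_domain_name` from `default_project_domain_name`, so the project and its domain are sourced from two unrelated variables; the nova-cell hunk in this commit uses `openstack_auth.domain_name` for the same purpose. If the two variables ever diverge, freezer would name the admin project in a domain it does not belong to. `os_project_domain_name = {{ openstack_auth.domain_name }}` keeps the pair consistent with the rest of the commit. The `{% if %}` block that encloses these lines starts outside the hunk.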
--- a/ansible/roles/heat/tasks/bootstrap_service.yml
+++ b/ansible/roles/heat/tasks/bootstrap_service.yml
@@ -15,8 +15,8 @@
 OS_INTERFACE: "internal"
 OS_USERNAME: "{{ openstack_auth.username }}"
 OS_PASSWORD: "{{ openstack_auth.password }}"
+ OS_PROJECT_NAME: "{{ openstack_auth.project_name }}"
 OS_USER_DOMAIN_NAME: "{{ openstack_auth.user_domain_name }}"
- OS_SYSTEM_SCOPE: "{{ openstack_auth.system_scope }}"
 OS_REGION_NAME: "{{ openstack_region_name }}"
 OS_CACERT: "{{ openstack_cacert | default(omit) }}"
 HEAT_DOMAIN_ADMIN_PASSWORD: "{{ heat_domain_admin_password }}"
diff --git a/ansible/roles/ironic/tasks/upgrade.yml b/ansible/roles/ironic/tasks/upgrade.yml
index e4e268f4a0..0e020b9df0 100644
--- a/ansible/roles/ironic/tasks/upgrade.yml
+++ b/ansible/roles/ironic/tasks/upgrade.yml
@@ -9,7 +9,7 @@
 --os-password {{ openstack_auth.password }}
 --os-identity-api-version 3
 --os-user-domain-name {{ openstack_auth.user_domain_name }}
- --os-system-scope {{ openstack_auth.system_scope }}
+ --os-system-scope "all"
 --os-region-name {{ openstack_region_name }}
 {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
 baremetal node list --format json --column "Provisioning State"
diff --git a/ansible/roles/keystone/tasks/register.yml b/ansible/roles/keystone/tasks/register.yml
index 9640088948..d3b15fe6fd 100644
--- a/ansible/roles/keystone/tasks/register.yml
+++ b/ansible/roles/keystone/tasks/register.yml
@@ -3,7 +3,7 @@
 become: true
 command: >
 {{ kolla_container_engine }} exec keystone kolla_keystone_bootstrap
- {{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
+ {{ openstack_auth.username }} {{ openstack_auth.password }} {{ openstack_auth.project_name }}
 admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
 register: keystone_bootstrap
 changed_when: (keystone_bootstrap.stdout | from_json).changed
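Review bot: The environment now sets `OS_PROJECT_NAME` but no `OS_PROJECT_DOMAIN_NAME`, whereas the nova-cell hunk in this commit passes `--os-project-domain-name {{ openstack_auth.domain_name }}` alongside the project name; here the project's domain is presumably left to the client's default-domain fallback, which only holds while the admin project lives in the default domain. Adding `OS_PROJECT_DOMAIN_NAME: "{{ openstack_auth.domain_name }}"` next to `OS_PROJECT_NAME` makes the scope explicit. The three murano import_library_packages hunks have the same gap, with `--os-project-name` but no `--os-project-domain-name` visible. The `environment:` mapping this belongs to starts outside the hunk.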
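Review bot: `--os-system-scope "all"` is now a bare literal with nothing saying why Ironic keeps a system-scoped token while the shared `openstack_auth` dict moved to project scope; the next reader of this task has only the release note to go on. A comment on the task such as `# Ironic's API policy still accepts system scope, so the token is scoped here rather than via openstack_auth` records the exception where it is made. The same literal is repeated in every register_identity_providers hunk for Keystone; one variable in group_vars holding the scope for the two services that still need it would keep that exception in a single place. The task that owns this command starts outside the hunk.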
diff --git a/ansible/roles/keystone/tasks/register_identity_providers.yml b/ansible/roles/keystone/tasks/register_identity_providers.yml
index 4695ab2576..180f9e9607 100644
--- a/ansible/roles/keystone/tasks/register_identity_providers.yml
+++ b/ansible/roles/keystone/tasks/register_identity_providers.yml
@@ -7,7 +7,7 @@
 --os-username={{ openstack_auth.username }}
 --os-identity-api-version=3
 --os-interface={{ openstack_interface }}
- --os-system-scope={{ openstack_auth.system_scope }}
+ --os-system-scope="all"
 --os-user-domain-name={{ openstack_auth.user_domain_name }}
 --os-region-name={{ openstack_region_name }}
 {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@@ -28,9 +28,9 @@
 --os-username={{ openstack_auth.username }}
 --os-identity-api-version=3
 --os-interface={{ openstack_interface }}
- --os-system-scope={{ openstack_auth.system_scope }}
+ --os-system-scope="all"
 --os-user-domain-name={{ openstack_auth.user_domain_name }}
- --os-system-scope={{ openstack_auth.system_scope }}
+ --os-system-scope="all"
 --os-region-name={{ openstack_region_name }}
 {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
 mapping delete {{ item }}
@@ -64,7 +64,7 @@
 --os-username={{ openstack_auth.username }}
 --os-identity-api-version=3
 --os-interface {{ openstack_interface }}
- --os-system-scope={{ openstack_auth.system_scope }}
+ --os-system-scope="all"
 --os-user-domain-name={{ openstack_auth.user_domain_name }}
 --os-region-name={{ openstack_region_name }}
 {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@@ -85,7 +85,7 @@
 --os-username={{ openstack_auth.username }}
 --os-identity-api-version=3
 --os-interface={{ openstack_interface }}
- --os-system-scope={{ openstack_auth.system_scope }}
+ --os-system-scope="all"
 --os-user-domain-name={{ openstack_auth.user_domain_name }}
 --os-region-name={{ openstack_region_name }}
 {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
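Review bot: In the hunk at line 28 the command passes `--os-system-scope="all"` twice, once before and once after `--os-user-domain-name`; the commit rewrites both copies instead of dropping the second. Duplicate options are harmless only as long as both carry the same value, and a future edit that touches one of them would silently leave the other in force. Removing the second `--os-system-scope="all"` line leaves the command equivalent. The `command:` block that holds these options starts outside the hunk.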
@@ -106,7 +106,7 @@
 --os-username={{ openstack_auth.username }}
 --os-identity-api-version=3
 --os-interface={{ openstack_interface }}
- --os-system-scope={{ openstack_auth.system_scope }}
+ --os-system-scope="all"
 --os-user-domain-name={{ openstack_auth.user_domain_name }}
 --os-region-name={{ openstack_region_name }}
 {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }} {% endif %}
@@ -127,7 +127,7 @@
 --os-username={{ openstack_auth.username }}
 --os-identity-api-version=3
 --os-interface={{ openstack_interface }}
- --os-system-scope={{ openstack_auth.system_scope }}
+ --os-system-scope="all"
 --os-user-domain-name={{ openstack_auth.user_domain_name }}
 --os-region-name={ openstack_region_name }}
 {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@@ -147,7 +147,7 @@
 --os-username={{ openstack_auth.username }}
 --os-identity-api-version=3
 --os-interface={{ openstack_interface }}
- --os-system-scope={{ openstack_auth.system_scope }}
+ --os-system-scope="all"
 --os-user-domain-name={{ openstack_auth.user_domain_name }}
 --os-region-name={{ openstack_region_name }}
 {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
@@ -170,7 +170,7 @@
 --os-username={{ openstack_auth.username }}
 --os-identity-api-version=3
 --os-interface {{ openstack_interface }}
- --os-system-scope {{ openstack_auth.system_scope }}
+ --os-system-scope "all"
 --os-user-domain-name {{ openstack_auth.user_domain_name }}
 --os-region-name {{ openstack_region_name }}
 {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }} {% endif %}
@@ -192,7 +192,7 @@
 --os-username={{ openstack_auth.username }}
 --os-identity-api-version=3
 --os-interface={{ openstack_interface }}
- --os-system-scope={{ openstack_auth.system_scope }}
+ --os-system-scope="all"
 --os-user-domain-name={{ openstack_auth.user_domain_name }}
 --os-region-name={{ openstack_region_name }}
 {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
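Review bot: In the hunk at line 127 the context line `--os-region-name={ openstack_region_name }}` has a single opening brace, so if the page reproduces the file faithfully Jinja leaves that text untouched and the shell splits it into unrelated words instead of passing the region; every other hunk in this file uses `{{ openstack_region_name }}`. The commit edits the line directly above it and could fix it at the same time with `--os-region-name={{ openstack_region_name }}`. The `command:` block that holds these options starts outside the hunk.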
@@ -214,7 +214,7 @@
 --os-username={{ openstack_auth.username }}
 --os-identity-api-version=3
 --os-interface={{ openstack_interface }}
- --os-system-scope={{ openstack_auth.system_scope }}
+ --os-system-scope="all"
 --os-user-domain-name={{ openstack_auth.user_domain_name }}
 --os-region-name={{ openstack_region_name }}
 {% if openstack_cacert != '' %}--os-cacert={{ openstack_cacert }}{% endif %}
diff --git a/ansible/roles/murano/tasks/import_library_packages.yml b/ansible/roles/murano/tasks/import_library_packages.yml
index ba8ce43e3b..4b9df1cbeb 100644
--- a/ansible/roles/murano/tasks/import_library_packages.yml
+++ b/ansible/roles/murano/tasks/import_library_packages.yml
@@ -18,7 +18,7 @@
 {{ kolla_container_engine }} exec murano_api murano
 --os-username {{ openstack_auth.username }}
 --os-password {{ openstack_auth.password }}
- --os-system-scope {{ openstack_auth.system_scope }}
+ --os-project-name {{ openstack_auth.project_name }}
 {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
 --os-auth-url {{ openstack_auth.auth_url }}
 --murano-url {{ murano_internal_endpoint }}
@@ -34,7 +34,7 @@
 {{ kolla_container_engine }} exec murano_api murano
 --os-username {{ openstack_auth.username }}
 --os-password {{ openstack_auth.password }}
- --os-system-scope {{ openstack_auth.system_scope }}
+ --os-project-name {{ openstack_auth.project_name }}
 {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
 --os-auth-url {{ openstack_auth.auth_url }}
 --murano-url {{ murano_internal_endpoint }}
@@ -50,7 +50,7 @@
 {{ kolla_container_engine }} exec murano_api murano
 --os-username {{ openstack_auth.username }}
 --os-password {{ openstack_auth.password }}
- --os-system-scope {{ openstack_auth.system_scope }}
+ --os-project-name {{ openstack_auth.project_name }}
 {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
 --os-auth-url {{ openstack_auth.auth_url }}
 --murano-url {{ murano_internal_endpoint }}
diff --git a/ansible/roles/nova-cell/tasks/wait_discover_computes.yml b/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
index 1729eed390..4e6bb2417b 100644
--- a/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
+++ b/ansible/roles/nova-cell/tasks/wait_discover_computes.yml
@@ -11,11 +11,12 @@
 {{ kolla_container_engine }} exec kolla_toolbox openstack
 --os-interface {{ openstack_interface }}
 --os-auth-url {{ openstack_auth.auth_url }}
+ --os-project-domain-name {{ openstack_auth.domain_name }}
+ --os-project-name {{ openstack_auth.project_name }}
 --os-username {{ openstack_auth.username }}
 --os-password {{ openstack_auth.password }}
 --os-identity-api-version 3
 --os-user-domain-name {{ openstack_auth.user_domain_name }}
- --os-system-scope {{ openstack_auth.system_scope }}
 --os-region-name {{ openstack_region_name }}
 {% if openstack_cacert != '' %}--os-cacert {{ openstack_cacert }}{% endif %}
 compute service list --format json --column Host --service nova-compute
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
index 7b12e7aa6b..06a635e960 100644
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -149,9 +149,6 @@ amqp_durable_queues = true
 {% endif %}
 [oslo_policy]
-# TODO(priteau): Remove enforce_* once secure RBAC is supported
-enforce_new_defaults = False
-enforce_scope = False
 {% if service_name in nova_services_require_policy_json and nova_policy_file is defined %}
 policy_file = {{ nova_policy_file }}
 {% endif %}
diff --git a/doc/source/user/multi-regions.rst b/doc/source/user/multi-regions.rst
index 5485bb3246..dcee26d162 100644
--- a/doc/source/user/multi-regions.rst
+++ b/doc/source/user/multi-regions.rst
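Review bot: Removing `enforce_new_defaults = False` and `enforce_scope = False` from `[oslo_policy]` changes how nova enforces its API policy, since the effective values now follow whatever nova's own defaults are for the deployed release, yet the release note in this commit only talks about which token scope Kolla uses. Operators who ship a custom `nova_policy_file` written against the legacy rules may see authorization failures once the new defaults and scope checks are active, so the upgrade note should state that the two overrides are gone and, where known, what nova's resulting behaviour is. The `[oslo_policy]` section continues outside the hunk.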
@@ -76,7 +76,8 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
 username: "{{ keystone_admin_user }}"
 password: "{{ keystone_admin_password }}"
 user_domain_name: "{{ default_user_domain_name }}"
- system_scope: "all"
+ project_name: "{{ keystone_admin_project }}"
+ domain_name: "default"
 .. note::
diff --git a/releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml b/releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml
new file mode 100644
index 0000000000..d790a39fb0
--- /dev/null
+++ b/releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+ - |
+ OpenStack services (except Ironic and Keystone) stopped supporting
+ the system scope in their API policy. Kolla who started using the
+ system scope token during the OpenStack Xena release needs to revert
+ it and use the project scope token to perform those services API
+ operations. The Ironic and Keystone operations are still performed
+ using the system scope token.